Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Cisco ACL bug when using VPN crypto engine accelerator, PPPoE dialer or ip route-cache
From: Ilker Temir <itemir () cisco com>
Date: Thu, 15 May 2003 18:56:36 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is in response to the e-mail sent by Olivier. The original e-mail is
available at
http://www.securityfocus.com/archive/1/321552/2003-05-12/2003-05-18/0

Hi Olivier,

We can confirm that the inbound ACL is processed twice for IPSec traffic
which is the root cause of the issue you have described.

This issue is being addressed by the Cisco Bug ID CSCdz54626. Cisco's
Product Security Incident Response Team (PSIRT) was not previously aware
of it. We are now addressing it with due priority.

While this issue does cause administrative overhead to configuration,
there is no significant security impact.

Permitting internal networks in the inbound ACL may be exploited to inject
spoofed packets into the network. However this has no practical impact
while using static crypto maps. With static crypto maps, the unencrypted
traffic will be dropped even if it passes the inbound ACL.

In the case of dynamic crypto maps, in order to bypass the inbound ACL to
inject spoofed packets, an attacker would also require control of the
neighboring routers that are connected to the interface where the inbound
ACL is applied, or the medium in between the neighbors.

Protecting our customers' networks is very important for us and we are
always open for vulnerability reports regarding any Cisco product.
Such reports should be directly sent to psirt () cisco com or
security-alert () cisco com 

Thank you again for your report,

Regards,

- --
Ilker Temir
Incident Manager, PSIRT
Cisco Systems, Inc.
+32 2 704-6031
http://www.cisco.com/go/psirt

On Wed, 14 May 2003, Olivier wrote:



Platform Cisco 1760 dual Ethernet

IOS 12.2.xT IP/ADSL/FW/IDS PLUS IPSEC 3DES

Environment: Site to site VPN for small offices.



ACL are not properly parsed as soon as you enable:

crypto engine accelerator
PPPoE dialer
Ip route-cache


Without the feature mentioned above, you can apply an ACL on the outside
interface allowing only inbound ISAKMP and IPSEC traffic.

I.E.

ip access-list extended Block-Inbound-unwanted-Trafic

 permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp

 permit esp 100.100. 100.0 0.0.0.255 host 102.168.1.2

 deny   ip any any log



If you activate the crypto engine, the ACL is parsed as well on decrypted
traffic which forces you to allow as well all traffic for the decrypted
traffic.
I.E. If you are using 10.x addressees internally and the subnet
10.200.0.0/24 for your Soho LAN. Can be worst if you have a huge network
inside where you would prefer to add permit ip  any 10.200.0.0 0.0.0.255.


ip access-list extended Block-Inbound-unwanted-Trafic
 permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp
 permit esp 100.100. 100.0 0.0.0.255 host 102.168.1.2
 permit ip  10.0.0.0 0.255.255.255 10.200.0.0 0.0.0.255  <----------- () %#$%@
 deny   ip any any log


This looks pretty bad for a VPN box running a Firewall feature set IOS
seen as the best candidate for VPN for small offices.

The worst is the reply from Cisco:
-------------------------------------------------------------------
We will be addressing this in the next few months however
the release time frame could be as late as the end
of the year.

We do have plans to address it but do
not expect it in a released image until the
last calendar quarter of the year. If its possible we
can get it done and released sooner than what I've
mentioned, we will do it, no guarantees however.
-------------------------------------------------------------------

We would have hope that they put more resources and concern in solving
security issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD8DBQE+w8bR8/wE0ppYtwURAunzAJ4oUlepUBjdJzQ1jZfBQGNI3UNNkwCcCcRh
CJBxZPAMkMO9/PwFxVcibTs=
=4dJU
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]